On 07/10/2013 08:34 PM, KodaK wrote:
> On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.ase...@gmail.com
> <mailto:natxo.ase...@gmail.com>> wrote:
> On 07/08/2013 07:44 PM, KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with
> ssh is fine.
> no AIX expericence, but I once overheard someone that did
> something like
> this using pam and apparently you could use the pam_permission module:
> so you could add this to /etc/pam.conf
> telnet auth requisite /usr/lib/security/pam_permission
> file=/etc/pam.groups.telnet found=allow
> and create the file /etc/pam.groups.telnet with info like this:
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
> Totally untested :-) but maybe worth a shot.
> Thanks. I'm stuck though.
> IBMs insistence on doing everything Not Unix in AIX is frustrating my
> 1) they don't use straight up PAM. They have some older version they
> include with the OS.
> 2) their version has very few modules that come with it. It does,
> however, have pam_permissions,
> but does not include pam_krb5.
> Here's the list:
> pam_aix pam_allowroot pam_mkuserhome pam_prohibit
> pam_allow pam_ckfile pam_permission pam_rhosts_auth
> That's a far cry from the 69 or so pam modules I see on Linux boxes.
> Before I can move on I have to get pam_krb5 to build for AIX and
> that's proving to be very difficult.
> I'm hoping the pam_hbac thing will pan out.
> I'm about ready to just yank Kerberos from the AIX machines and fall
> back to local authentication.
> The actual AIX admins seem to have no interest in helping me, so they
> can reap what they
> sow with their inaction and have to manage individual users on
> individual boxes.
How complex are your HBAC rules? Are they very dynamic or pretty static?
We might be able to tackle it from that side and come with something
custom that would work for your case but not in general.
I think PWT mail for the real data would be appropriate.
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list